Importing and syncing users and groups at logon time


As an LDAP administrator, you can enable the import of users and their associated groups from a SAML 2.0-based identity provider (IdP) in your company into BMC Helix Portal at logon time. You can also download, configure, and run the LDAP sync agent to sync users and groups along with their mapping. For more information, see Running the LDAP sync agent.

Each time a user logs on to the BMC Helix Portal console:

  • The logged-in user and associated groups are imported.
  • Changes related to the user and associated groups are synced when the same user logs on again.

The imported users and groups are displayed in the same way as the manually created users and user groups, with the type External.

The imported users and groups are displayed on the User access >  page and the User access >  page respectively. 


Before you begin

Open a BMC Support case to connect your Identity Provider (IdP) to BMC Helix Portal for authentication. Share your IdP metadata with BMC Support. BMC Helix Portal uses this metadata to establish a trust relationship with the IdP. Your IdP administrator can provide this information.

About IdP metadata

In Security Assertion Markup Language (SAML) authentication, the IdP metadata is an XML document that contains configuration information about the Identity Provider. The IdP metadata typically includes the following information:

  • EntityID: A unique identifier for the IdP.
  • Single Sign-On (SSO) URL: The URL where the IdP accepts SAML authentication requests.
  • Single Logout (SLO) URL: The URL where the IdP accepts SAML logout requests.
  • Certificate: The public key certificate that is used to sign SAML assertions or other security-related elements.
  • Supported SAML bindings: The supported SAML protocols and bindings for SSO and SLO.
  • Assertion Consumer Service (ACS) URLs: The URLs to which the IdP sends SAML assertions after successful authentication.
  • NameID Formats: The supported formats for the unique identifier of the user (NameID).
  • Attribute mappings: The mapping of user attributes between the IdP and SP, defining which attributes are released to the SP.

The specific format and structure of the IdP metadata document can vary depending on the SAML implementation and the IdP software being used. It is usually an XML file that follows the SAML metadata specification.  


To import and sync users and groups at logon time

  1. Ensure that SAML is configured and user group sync is enabled. Contact BMC Support to configure Helix Single Sign-On as described in Configuring authentication.

  2. Use one of the following methods to import user details from the SAML assertion:
    • Import users and groups along with their mapping:
      To use this method, perform the following steps:
      1. Create an external user with the same login ID as the LDAP admin user. 
        For more information, see Setting up users.
      2. Assign the external user to a role with all permissions or at a minimum all permissions to the Identity Management Service application or service. 
        For more information, see Setting up roles and permissions.
      3. Ask users to log on to the BMC Helix Portal console.
        BMC Helix Portal updates the user and group membership in the following way:
        1. Logged-in users are automatically created with the type External.
        2. Groups associated with the logged-in users are automatically created with the type External. 
        3. Logged-in users are automatically mapped with the groups.
      4. Assign the imported groups to relevant roles with appropriate permissions.

    • Create a default role: Create a default role with administrator permissions. When an IdP user who is not associated with any group logs in, the user is assigned this role and can manage other users. The default role can be removed after the first tenant administrator is on-boarded. For information about making a role the default, see Setting up roles and permissions.

      If an IdP user is already associated with groups, the default role is not assigned after the user logs in to BMC Helix Portal.
       

    • Import users with their mapping information: Groups must be created manually before the import, and permissions must be assigned to those groups. Assigning the permissions beforehand ensures that all imported users are mapped to groups with the appropriate permissions the very first time they log on. This method is also useful for syncing changes made to the users and groups.

      Best practice

      If you are planning to use an integrated product that requires an additional step to provide permissions, we recommend this method.

      For example, in BMC Helix Operations Management you need to create authorization profiles to provide appropriate permissions to groups. To ensure that users have the appropriate permissions at logon time, you need to create groups in BMC Helix Portal. Then, you need to assign the groups to the appropriate roles in BMC Helix Portal and the appropriate authorization profiles in BMC Helix Operations Management.

      To use this method, perform the following steps:

      1. Create user groups with the same name as the groups managed by your IdP. 
        For more information, see Setting up user groups.
      2. Assign the user groups to roles with appropriate permissions. 
        For more information, see Setting up roles and permissions.
      3. Ask users to log on to the BMC Helix Portal console.
        BMC Helix Portal updates the user and group membership in the following way:
        1. Logged-in users are automatically created with the type External.
        2. The existing user groups are updated with the new details from the IdP and the type is changed to External.
        3. The user groups are automatically mapped to the logged-in users.
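The following is an added example, not BMC's code, that models the two import methods above on a constructed SAML assertion. It extracts the user's NameID and group values from the assertion and then applies the logon-time rules described on this page to an in-memory user and group store: a pre-created group is switched to type External and keeps the roles already assigned to it, a group that does not exist yet is created as External with no roles, and the default role is applied only to a user who arrives with no groups. The attribute name `groups`, the role names and the store layout are assumptions for illustration; the real attribute name depends on your IdP configuration.

```python
"""Model of logon-time user and group import from a SAML assertion.

Added example, not BMC's code. The assertion is a constructed sample, the
attribute name "groups" is an assumption (it depends on the IdP configuration),
and reconcile() is a simplified model of the rules described in the procedure.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUP_ATTRIBUTE = "groups"  # assumption: the attribute the IdP releases group names in

# Constructed sample assertion with placeholder ID, issuer and user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>Operators</saml:AttributeValue>
      <saml:AttributeValue>Auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_user_and_groups(assertion_xml, group_attribute=GROUP_ATTRIBUTE):
    """Return (login ID, list of group names) carried by the assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not name_id or not name_id.strip():
        raise ValueError("assertion has no NameID")
    groups = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == group_attribute:
            for value in attr.findall("saml:AttributeValue", SAML_NS):
                if value.text and value.text.strip():
                    groups.append(value.text.strip())
    return name_id.strip(), groups


def reconcile(local_users, local_groups, default_role, name_id, idp_groups):
    """Apply the logon-time rules to the in-memory stores (mutated in place).

    local_groups maps group name -> {"type": ..., "roles": [...]}; local_users
    maps login ID -> {"type": ..., "groups": [...], "roles": [...]}.
    Returns (user record, sorted effective role names).
    """
    user = local_users.setdefault(name_id, {"type": "External", "groups": [], "roles": []})
    for name in idp_groups:
        if name in local_groups:
            # Method "import users with their mapping information": the pre-created
            # group becomes External and keeps the roles assigned to it beforehand.
            local_groups[name]["type"] = "External"
        else:
            # Method "import users and groups along with their mapping": the group is
            # created automatically, with no roles until an administrator assigns them.
            local_groups[name] = {"type": "External", "roles": []}
        if name not in user["groups"]:
            user["groups"].append(name)
    # The default role applies only to a user who is not associated with any group.
    if not idp_groups and default_role and default_role not in user["roles"]:
        user["roles"].append(default_role)
    effective = set(user["roles"])
    for name in user["groups"]:
        effective.update(local_groups[name]["roles"])
    return user, sorted(effective)


if __name__ == "__main__":
    login, groups = extract_user_and_groups(SAMPLE_ASSERTION)
    # Constructed store: "Operators" was pre-created and given a role; "Auditors" was not.
    users, local_groups = {}, {"Operators": {"type": "Local", "roles": ["Viewer"]}}
    user, roles = reconcile(users, local_groups, "Admin", login, groups)
    print(login, "->", user["groups"], "effective roles:", roles)
    print("groups after logon:", local_groups)
```

Running the model shows the practical difference between the two methods: the user inherits a role through the pre-created `Operators` group at first logon, while the auto-created `Auditors` group contributes nothing until it is assigned to a role, and a user who arrives with no groups at all receives only the default role.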
